Opened 7 years ago
Closed 7 years ago
#3866 closed defect (fixed)
Server crashing sometimes from large values in twkb encoding
| Reported by: | nicklas | Owned by: | nicklas |
|---|---|---|---|
| Priority: | medium | Milestone: | PostGIS 2.3.4 |
| Component: | postgis | Version: | 2.3.x |
| Keywords: | Cc: |
Description
The attached geometry writes beyond the buffer.
In some cases it crashes the server.
It is caused from a large value that encodes to a variable integer of 10 bytes instead of the expected max 8 bytes. Most of the time this doesn't do any harm. But if the preceding point leaves exactly 8 bytes left in the buffer, the space check will not reallocate and writing 9 or 10 bytes will cause writing beyond the buffer.
Attachments (1)
Change History (7)
by , 7 years ago
comment:1 by , 7 years ago
comment:3 by , 7 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
comment:4 by , 7 years ago
| Resolution: | fixed |
|---|---|
| Status: | closed → reopened |
need to put this in NEWS for 2.2 and 2.3. For 2.4 not necessary.
Note:
See TracTickets
for help on using tickets.
increased the expected max size of variable integer to 16 bytes instead of 8 bytes.
That should always be enough since the value gets truncated by casting to int64_t before encoding to variable integer
fixed in trunk r15817